Digital signatures on a smartcard

ABSTRACT

A digital signature scheme for a “smart” card utilizes a set of prestored signing elements and combines pairs of the elements to produce a new session pair. The combination of the elements is performed partly on the card and partly on the associated transaction device so that the exchange of information between card and device does not disclose the identity of the signing elements. The signing elements are selected in a deterministic but unpredictable manner so that each pair of elements is used once. Further signing pairs are generated by implementing the signing over an anomalous elliptic curve encryption scheme and applying a Frobenius Operator to the normal basis representation of one of the elements.

BACKGROUND OF THE INVENTION

This application is a continuation of U.S. patent application Ser. No.10/765,976 filed on Jan. 29, 2004 which is division of U.S. patentapplication Ser. No. 09/942,492 filed on Aug. 29, 2001, now U.S. Pat.No. 6,704,870 which is a continuation of U.S. patent application Ser.No. 09/434,247 filed on Nov. 5, 1999, now U.S. Pat. No. 6,925,564 whichis a continuation in part of U.S. patent application Ser. No. 08/632,845filed on Apr. 16, 1996, now U.S. Pat. No. 5,999,625.

1. Field of the Invention

The present invention relates to methods and apparatus for generatingdigital signatures.

2. Discussion of Related Art

It has become widely accepted to conduct transactions, such as financialtransactions or exchange of documents, electronically. In order toverify the transaction, it is also well known to “sign” the transactiondigitally so that the authenticity of the transaction can be verified.The signature is performed according to a protocol that utilizes themessage, i.e. the transaction, and a secret key associated with thepart. The recipient can verify the signature using a public key of thesigning party to recover the message and compare it with the transmittedmessage. Any attempt to tamper with the message or to use a key otherthan that of the signing party will result in an incompatibility betweenthe sent message and that recovered from the signature or will fail toidentify the party correctly and thereby lead to rejection of thetransaction.

The signature must be performed such that the signing party's secret keycannot be determined. To avoid the complexity of distributing secretkeys, it is convenient to utilize a public key encryption scheme in thegeneration of the signature. Such capabilities are available where thetransaction is conducted between parties having access to relativelylarge computing resources but it is equally important to facilitate suchtransactions at an individual level where more limited computingresources are available.

Automated teller machines (ATMs) and credit cards are widely used forpersonal transactions and as their use expands, so the need to verifysuch transactions increases. Transaction cards, i.e. credit/debit cardsor pass cards are now available with limited computing capacity(so-called “Smart Cards”) but these do not have sufficient computingcapacity to implement existing digital signature protocols in acommercially viable manner.

As noted above, in order to generate a digital signature, it isnecessary to utilize a public key encryption scheme. Most public keyschemes are based on the Diffie Helman Public key protocol and aparticularly popular implementation is that known as DSS. The DSS schemeutilizes the set of integers Zp where p is a large prime. For adequatesecurity, p must be in the order of 512 bits although the resultantsignature may be reduced mod q, where q divides p−1, and may be in theorder of 160 bits.

The DSS protocol provides a signature composed of two components r, s.The protocol requires the selection of a secret random integer kreferred to as the session key from the set of integers (0, 1, 2, . . .q−1), i.e.k∈{0, 1, 2, . . . q−1}.The component r is then computed such thatr={β^(k) mod p} mod q

where β is a generator of q.

The component s is computed ass=[k ⁻¹(h(m))+ar] mod q

where m is the message to be transmitted,

-   -   h(m) is a hash of that message, and    -   a is the private key of the user.

The signature associated with the message is then s, r which may be usedto verify the origin of the message from the public key of the user.

The value β^(k) is computationally difficult for the DSS implementationas the exponentiation requires multiple multiplications mod p. This isbeyond the capabilities of a “Smart Card” in a commercially acceptabletime. Although the computation could be completed on the associated ATM,this would require the disclosure of the session key k to the ATM andtherefore render the private key, a, vulnerable.

It has been proposed to precompute β^(k) and store sets of values of rand k on the card. The generation of the signature then only requirestwo 160 bit multiplications and signing can be completed within ½ secondfor typical applications. However, the number of sets of values storedlimits the number of uses of the card before either reloading orreplacement is required. A problem that exists therefore is how togenerate sufficient sets of values within the storage and/or computingcapacity of the card.

One possibility is to use a smaller value of p but with the DSS schemethis will jeopardize the security of the transaction.

An alternative encryption scheme that provides enhanced security atrelatively small modulus is that utilizing elliptic curves in the finitefield 2^(m). A value of m in the order of 155 provides securitycomparable to a 512 bit modulus for DSS and therefore offers significantbenefits in implementation.

Diffie Helman Public Key encryption utilizes the properties of discretelogs so that even if a generator β and the exponentiation β^(k) isknown, the value of k cannot be determined. A similar property existswith elliptic curves where the addition of two points on a curveproduces a third point on the curve. Similarly, multiplying any point onthe curve by an integer k produces a further point on the curve.However, knowing the starting point and the end point does not revealthe value of the integer ‘k’ which may then be used as a session key forencryption. The value kP, where P is an initial known point. istherefore equivalent to the exponentiation β^(k).

In order to perform a digital signature on an elliptic curve, it isnecessary to have available the session key k and a value of kP referredto as a “session pair”. Each signature utilizes a different session pairk and kP and although the representation of k and kP is relatively smallcompared with DSS implementations, the practical limits for “SmartCards” are in the order of 32 signatures. This is not sufficient forcommercial purposes.

One solution for both DSS and elliptic curve implementations is to storepairs of signing elements k, kP and combine stored pairs to produce anew session pair. For an elliptic curve application, this would yield apossible 500 session pairs from an initmi group of 32 stored signingelements. The possibilities would be more limited when using DSS becauseof the smaller group of signing elements that could be stored.

In order to compute a new session pair, k and kP, from a pair of storedsigning elements, it is necessary to add the values of k, e.g. k₁+k₂→kand the values of k₁P and k₂P to give a new value kP. In an ellipticcurve, the addition of two points to provide a third point is performedaccording to set formula such that the addition of a point k₂P havingcoordinates (x, y) and a point k₁P having coordinates (x₂y₂) provides apoint k₃P whose x coordinate X₃ is given by:$x_{3} = {\frac{\quad{y_{1} \oplus y_{2}^{2}}}{\quad{x_{1} \oplus x_{2}}} \oplus \frac{\quad{y_{1} \oplus y_{2}}}{\quad{x_{1} \oplus x_{2}}} \oplus x_{1} \oplus {x_{2}.}}$

This computation may be significantly simplified using the normal basisrepresentation in a field F2^(m), as set out more fully in our PCTApplication Ser. No. PCT/CA/9500452, the contents of which areincorporated herein by reference. However, even using such advantageoustechniques, it is still necessary to utilize a finite field multiplierand provide sufficient space for code to perform the computation. Thisis not feasible within the practical limits of available “Smart” cards.

As noted above, the ATM used in association with the card has sufficientcomputing power to perform the computation but the transfer of thecoordinates of k₁P and k₂P from the card to the terminal wouldjeopardize the integrity of subsequent digital signatures as two of thestored signing elements would be known.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to obviate ormitigate the above disadvantages and facilitate the preparation ofadditional pairs of values from a previously stored set.

In general terms, one aspect of the present invention proposes tocompute on one computing device an initial step in the computation of acoordinate of a point derived from a pair of points to ihibitrecognition of the individual components, transfer such information toanother computing device remote from said one device, perform at leastsuch additional steps in said derivation at such other device to permitthe completion of the derivation at said one device and transfer theresult thereof to said one computing device.

Preferably, the initial step involves a simple field operation on thetwo sets of coordinates which provides information required in thesubsequent steps of the derivation.

Preferably also the additional steps performed at the other devicecomplete the derivation.

In a preferred embodiment, the initial step involves the addition of thex coordinates and the addition y coordinates to provide the terms(x₁⊕x₂) and (y₁⊕₂).

The addition of the coordinates is an XOR operation that can readily beperformed on the card and the results provided to the terminal.

In this manner, the coordinates (x, y) representing kP in a storedsigning element are not disclosed as insufficient information isprovided even with subsequent uses of the card. Accordingly, the xcoordinate of up to 500 signatures can be generated from an initial setof 32 stored signing elements.

The new value of k can be computed on the card and to avoid computingthe inverse k⁻¹, alternative known masking techniques can be utilized.

A further aspect of the present invention provides a method ofgenerating additional sets of points from the initial set that may beused individually as a new value of kP or in combination to generatestill further values of kP.

According to this aspect of the invention, the curve is an anomalouscurve and the Frobenius Operator is applied to at least one of thecoordinates representing a point in the initial set to provide acoordinate of a further point on the elliptic curve. The FrobeniusOperator Ø provides that for a point (x₁, y₁) on an anomalous curve,then Ø (x₁, y₁) is a point (x₁ ², y₁ ²) that also lies on the curve. Ingeneral, Ø^(i)(x₁, y₁) is a point x² ^(i) , y² ^(i) that also lies onthe curve. For a curve over the field 2^(m), there are m FrobeniusOperators so for each value of kP stored in the initial set, m values ofkP may be generated, referred to as “derived” values. The new value of kassociated with each point can be derived from the initial relationshipbetween P and ØP and the initial value of k.

For a practical implementation where 32 pairs of signing elements areinitially retained on the card and the curve is over the field 2¹⁵⁵,utilizing the Frobenius Operator provides in the order of 4960 possiblederived values and by combining pairs of such derived values as above inthe order of 10⁷ values of kP can be obtained from the initial 32 storedsigning elements and the corresponding values of k obtained to provide10⁷ session pairs.

Preferably, the stored values of kP are in a normal basisrepresentation. The application Frobenius Operator then simply requiresan “i” fold cyclic shift to obtain the value for an Ø^(i) operation.

According to a further aspect of the invention, there is provided amethod of generating signature components for use in a digital signaturescheme, said signature components including private information and apublic key derived from said private information, said method comprisingthe steps of storing private information and related public key as anelement in a set of such information, cycling in a deterministic butunpredictable fashion through said set to select at least one element ofsaid set without repetition and utilizing said one element to derive asignature component in said digital signature scheme.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other object and advantages of the present invention willbecome apparent from the following description when read in conjunctionwith the accompanying drawings wherein:

FIG. 1 is a schematic representation of a programmable credit card;

FIG. 2 is a schematic representation of a transaction performed betweenthe card and network;

FIG. 3 is a schematic representation of the derivation of a session pairfrom a pair of stored signing elements;

FIG. 4 is a schematic representation of one step in the transmission ofinformation shown in FIG. 2;

FIG. 5 is a schematic representation of a preferred implementation ofthe derivation of a session pair from two pairs of stored values; and

FIG. 6 is a schematic representation of a selection unit shown in FIG.1;

FIG. 7 is a schematic representation of a further embodiment of thederivation of session pairs from stored values.

FIG. 8 is an alternative schematic to the embodiment of FIG. 7; and

FIG. 9 is yet another alternative schematic to the embodiment of FIG. 7.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The System

Referring therefore to FIG. 1, a programmable credit card 10 (referredto as a ‘SMART’ card) has an integrated circuit 12 embedded within thebody of card 10.

The integrated circuit includes a logic array 14, an addressable memory16 and a communication bus 18. The memory 16 includes a RAM section 20to store information, a pair of cyclic shift registers 22 for temporarystorage of information and programming code 24 for control of the logicarray 14 and communication bus 18. The array 14 includes an arithmeticunit 26 to provide modular arithmetic operation, e.g. additional andmultiplication, and a selection unit 28 controlled by the programmingcode 24. It will be appreciated that the description of the card 10 is aschematic and restricted to that necessary for explanation of thepreferred embodiment of the invention.

The card 10 is used in conjunction with a terminal 30, for example anautomated teller machine (ATM), that is connected to a network to allowfinancial transactions to be conducted. The terminal 30 includes akeypad 32 to select options and tasks and has computing capabilities toperform the necessary functions in conjunction with the card 10.

Access to the terminal 30 is obtained by inserting card 10 into a reader34 and entering a pass code in a conventional manner. The pass code isverified with the card 10 through communication bus 18 and the terminal30 activated. The keypad 32 is used to select a transaction, for examplea transfer of funds, between accounts and generate a message through thenetwork to give effect to the transactions, and card 10 is used to signthat transaction to indicate its authenticity. The signature and messageare transmitted over the network to the intended recipient and uponreceipt and verification, the transaction is completed.

The Card

The RAM section 20 of memory 16 includes digital data stringrepresenting a private key, a, which remains secret with the owner ofthe card and a corresponding public key Q=aP where P is the publiclyknown initial point on the selected curve. The RAM section 20 alsoincludes a predetermined set of coordinates of points, kP, on anelliptic curve that has been preselected for use in a public keyencryption scheme. It is preferred that the curve is over a finite field2^(m), conveniently, and by way of example only, 2¹⁵⁵, and that thepoints kP are represented in normal basis representation. The selectedcurve should be an anomalous curve, e.g. a curve that satisfiesy²+xy=x³+1, and has an order, e. Each point kP has an x coordinate and ay coordinate and is thus represented as two 155 digital data stringsthat are stored in the RAM 20. By way of example, it will be assumedthat the RAM 20 contains 32 such points identified generically as kP andindividually as k₀P, k₁P . . . k₃₁P. Similarly, their coordinates (x, y)will be individually designated x₀y₀ . . . x₃₁y₃₁.

The points kP are precomputed from the chosen parameters of the curveand the coordinates of an originating point P. The k-fold addition ofpoint P will provide a fitter point kP on the curve, represented by itscoordinates (x, y) and the value of k cannot be determined even if thecoordinates of points P and kP are known.

RAM 20 therefore contains the values of k associated with the respectivepoints kP so that a set of stored signing elements k,kP is available foruse in the signing of the transaction.

Signing

To sign a message m generated by the transaction, one session pairk_(j); k_(j)P is required and may be obtained from RAM 20 as set outmore filly below. Assuming that values k_(j), k_(j)P have been obtained,the signing protocol requires a signature r,s) where

-   -   r is the data string representing the x-coordinate, x_(j)        reduced mod q (q is a preselected publicly known divisor of e,        the order of the curve, i.e. q/e_(x)); and    -   s=[k⁻¹(h(m))+ar] mod q where h(m) is a q-bit hash of the message        m generated by the transaction.

In this signature, even though r is known, s contains the secret k andthe private key, a, and so inhibits the extraction of either.

The generation of s requires the inversion of the value k and since k isitself to be derived from the stored set of values of k, it isimpractical to store corresponding inverted values of possible k's.Accordingly, a known masking technique is used to generate components r,s¹ and u of a signature. This is done by selecting an integer, c, andcomputing a value u=ck. The value s⁻¹=c(h(m)+ar) mod q.

The signature value s can then be obtained by the recipient computings¹u⁻¹=k⁻¹[h(m)+ar].

The signature (r, s¹, u) can be computed on the card 10 and forwarded bybus 18 to the terminal 30 for attachment to the message m.

Generation of Session Pair

As noted above, in order to generate the signature (r,s), it isnecessary to have for session pair k and kP. Security dictates that eachsession pair is only used once and it is assumed that the number ofsigning elements stored in RAM 20 is insufficient for commercialapplication.

In the preferred embodiment, two techniques are used to generateadditional-session pairs to the stored signing elements. It will beappreciated that each technique may be used individually although thecombination of the two is preferred.

(i) Frobenius Operator

The first technique involves the use of the Frobenius Operator to deriveadditional session pairs from the stored signing elements and is shownin FIG. 3. The Frobenius Operator denoted Ø operates on a point P havingcoordinates (x, y) on an anomalous elliptic curve in the finite field2^(m) such that Ø^(i)P=(x² ^(i) ,y² ^(i) ). Moreover, the point Ø^(i)Pis also on the curve. In the field 2¹⁵⁵, there are 155 FrobeniusOperators so each point kP stored in memory 20 may generate 155 pointson the curve by application of the Frobenius Operators. Thus, for the 32values of kP stored, there are 4960 possible values of kP available byapplication of the Frobenius Operator.

To derive the value of Ø^(i)P, it is simply necessary to load the x andy coordinates of a point kP into respective shift registers 22 andperform an i-fold cyclic shift. Because the coordinates (x, y) have anormal basis representation, a cyclic shift in the register 22 willperform a squaring operation, and an i-fold cyclic shift will raise thevalue to the power 2^(i). Therefore, after the application of i clockcycles, the registers 22 contain the coordinates of Ø^(i)(kP) which is apoint on the curve and may be used in the signing protocol. The 155possible values of the coordinates (x, y) of Ø^(i)(kP) may be obtainedby simple cyclic shifting. The representations in the registers 22 maythen be used to obtain r.

Where the use of Frobenius Operator provides sufficient values forcommercial use, only one coordinate is needed to compute the value of rand so only a single shift register is needed. However, as will bedescribed below, further session pairs can be derived if both thecoordinates are known and so a pair of registers is provided.

For each value of Ø^(i)(kP), it is necessary to obtain the correspondingvalue of k Ø(P)=λP. λ is a constant that may be evaluated ahead of timeand the values of its first m powers, λ^(i) computed. The m values arestored in RAM 20.

In general, Ø^(i)(kP)→λ^(i)kP so the value of k associated withØ^(i)(kP) is λ^(i)k. Since k is stored for each value of kP in RAM 20and λ^(i) is also stored, the new value of k, i.e. λ^(i)k, can becomputed using the arithmetic unit 26.

As an alternative, to facilitate efficient computation of λ^(i) andavoid excessive storage, it is possible to precompute specific powers ofλ and store them in RAM 20. Because m is 155 in the specific example,the possible values of i can be represented as an 8-bit binary word. Thevalues of λ²→λ² are thus stored in RAM 20 and the value of λ representedin binary. The prestored values of λ² ^(i) are then retrieved asnecessary and multiplied mod e by arithmetic unit 26 to provide thevalue of λ^(i). This is then multiplied by k to obtain the new valueassociated with Ø^(i)(kP).

It will be seen therefore that new session pairs k, kP may be derivedsimply and efficiently from the stored signing elements of the initialset. These session pairs may be computed in real time, thereby obviatingthe need to increase storage capacity and their computation utilizessimple arithmetic operations that may be implemented in arithmetic unit26.

(ii) Combining Pairs

A further technique, illustrated schematically in FIG. 4, to increasethe number of session pairs of k and kP available, and thereby increasethe number of signatures available from a card, is to combine pairs ofstored signing elements to produce a new derived value. The addition oftwo points k₁P and k₂P will produce a third point k₃P that also lies onthe curve and may therefore be used for signatures.

The addition of two points having coordinates (x₁, y₁)(x₂y₂)respectively on a curve produces a new point having an x coordinate x₃where$x_{3} = {\frac{y_{1} \oplus y_{2}^{2}}{x_{1} \oplus x_{2}} \oplus \frac{y_{1} \oplus y_{2}}{x_{1} \oplus x_{2}} \oplus x_{1} \oplus x_{2}}$

In the finite field 2m, y1⊕y2 and x1⊕x2 is an XOR field operation thatmay be performed simply in logic array 16. Thus the respective values ofx₁, x₂ and y₁, y₂ are placed in respective ones of registers 22 andXOR'd. The resultant data string is then passed over communication bus16 to the terminal 30. The terminal 30 has sufficient computing capacityto perform the inversion, multiplication and summation to produce thevalue of x₃. This is then returned to register 22 for signature. Thepotential disclosure of x₃ does not jeopardize the security of thesignature as the relevant portion is disclosed in the transmission of r.

The value of k₁+k₂ is obtained from the arithmetic unit 26 within logicarray 16 to provide a value of k₃ and hence a new session pair k₃k₃P isavailable for signature

It will be appreciated that the value for y₃ has not been computed asthe signing value r is derived from x₃ rather than both coordinates.

It will be noted that the values of x₁ and x₂ or y₁ and y₂ are nottransmitted to terminal 30 and provided a different pair of points isused for each signature, then the values of the coordinates remainsundisclosed.

At the same time, the arithmetic functions performed on the card arerelatively simple and those computationally more difficult are performedon the terminal 30 .

Preferred Implementation of Generating Session Pairs

The above technique may of course be used with pairs selected directlyfrom the stored signing elements or with the derived values obtainedusing the Frobenius Operator as described above. Alternatively, theFrobenius Operator could be applied to the value of kP obtained fromcombining pairs of the stored signing elements to provide m possiblevalues of each derived value.

To ensure security and avoid duplication of session pairs, it ispreferred that only one of the stored signing elements should have theFrobenius Operator applied, as in the preferred embodiment illustratedin FIG. 5.

In this arrangement, the coordinates x₁, y₁ of one of the stored signingelements is applied to the registers 22 and cyclically shifted i timesto provide Ø^(i) k₁P.

The respective coordinates, x_(Ø) ₁ , y_(Ø) ₁ , are XOR'd with thecoordinates from another of the stored values k₂P and the summedcoordinates transmitted to ATM 30 for computation of the coordinate x₃.This is retransmitted to the card 10 for computation of the value r.

The value of k₁ is processed by arithmetic unit 26 to provide λ^(i)k andadded to k₂ to provide the new value k₃ for generation of signaturecomponent s. In this embodiment, from an original set of 32 storedsigning elements stored on card 10, it is possible to generate in theorder of 10⁷ session pairs. In practice, a limit of 10⁶ is realistic.

Selection of Pairs Stored Signing Elements

The above procedure requires a pair of stored signing elements to beused to generate each session pair. In order to preserve the integrityof the system, the same set cannot be used more than once and the pairsof stored values constituting the set must not be selected in apredictable manner.

This selection function is performed by the selection unit 28 whoseoperation is shown schematically in FIG. 6.

Selection unit 28 includes a set of counters 40, 42, 44 whose outputsaddress respective look up tables 46, 48, 50. The look up tables 46, 48,50 map the successive outputs of the counters to pseudo random outputvalues to provide unpredictability for the selection stored signingelements.

The 32 stored values of k and kP are assigned nominal designations aselements in a set 52 ranging from −15 to +15 with one designated ∞. Toensure that all available combinations of stored values are used withoutrepetition, the nominal designations are grouped in 16 pairs in anordered array 54 such that the difference (mod 31) in the assignedvalues of a pair uses all the numbers from 1 to 30. ∞ is grouped with 0.This array provides a first row of a notional matrix.

Successive rows 54 a, b, c, etc. of the notional matrix are developed byadding 1 to each assigned designation of the preceding row until 15 rowsare developed. In this way a matrix is developed without repetition ofthe designations in each cell. By convention ∞+1=∞.

Counter 42 will have a full count after 15 increments and counter 40will have a full count after 14 increments. Provided the fill countvalues of counters 40, 42 are relatively prime and the possible valuesof the counter 50 to select Frobenius Operator are relatively large, theoutput of counters 40, 42, 44 are mapped through the tables 46, 48, 50respectively to provide values for row and column of the notional matrixand the order i of the Frobenius Operator to be applied.

The output of counter 48 selects a column of the array 54 from which adesignation associated with a starting pair can be ascertained. In theexample of FIG. 6, the output of counter 42 is mapped by table 48 toprovide an output of 3, indicating that column 3 of array 54 should beselected. Similarly, the output of counter 40 is mapped through table 46to provide a count of 3 indicating that values in row 3 of the matrixshould be used. The assigned designations for a particular row are thenobtained by adding the row value to the values of the starting pair.This gives a new pair of assigned designations that indicate thelocations of elements in set 52. The signing elements are then retrievedfrom the set 52.

One of those pairs of signing elements is then output to a shiftregister 22 and operated upon by the designated Frobenius Operator Ø.The value of the Frobenius Operation is obtained from the output oftable 50 which maps counter 44. The value obtained from table 5 sets theshift clock associated with register 22 so that the contents of theregister 22 are cyclically shifted to the Frobenius value Ø indicated bythe output of table 50.

Accordingly, a new value for kP is obtained. The associated value of kcan be computed as described above with the arithmetic unit utilizingthe output of table 50 to determine the new value of λ. Accordingly, aderived value is obtained.

The derived value and signing element are then combined as described at(ii) above to provide a new session pair k, kP for use in the signingprocess.

The use of the counters 40, 42 provides input values for the respectivetables so that the array 54 is accessed in a deterministic butunpredictable fashion. The grouping of the pairs in the array 54 ensuresthere is no repetition in the selected elements to maintain theintegrity of the signature scheme.

Counter 44 operates upon one of the selected pairs to modify it so thata different pair of values is presented for combination on each use,even though multiple access may be made to the array 54.

The counters 40, 42, 44 may also be utilized to limit the use of theSmart Card if desired so that a forced expiry will occur after a certainnumber of uses. Given the large number of possible signatures, thisfacility may be desirable.

Alternative structures to the look up tables 46, 48, 50 may be utilized,such as a linear feedback shift register, to achieve a mapped output ifpreferred.

Further selection of the session pairs can be obtained by preprocessingof the contents of register 52 using one or more of the techniques shownin FIG. 7, 8 or 9.

In its simplest form, as shown in FIG. 7, a source row ‘s’ is selectedand the session pair k_(s), k_(s)P read from the register. A function isapplied to the session pair, which for example is the Frobeniusoperation as set out in FIG. 3 to provide a new session pair λ^(i)k_(s); φ^(i) (k_(s)P). A destination row, d, is then selected in thetable 52 and the new session pair combined with the contents of that rowto generate a new pair of values. The contents of the table 52 are thusupdated and a selection of pairs may be made for the generation of a newsession pair as described above.

The preprocessing may be repeated a number of times with differentsource rows s, and destinations, d, so that a thorough mixing isobtained. The selection of source rows, s, and destinations, d, may beselected deterministically using the counters 40, 42.

Alternatively, where the card 10 does not have adequate computing poweror a curve other than an anomalous curve is used, an alternativefunction may be applied to the selected row. For example, a sign may beapplied to the selected row prior to accumulation of a destination.

An alternative embodiment is shown in FIG. 8 where multiple source rowss₁ . . . s_(n) are used and the selected session pairs combined.Typically two source rows are used but more than two can be combined ifpreferred. In this case the combining may proceed as shown in FIG. 5 andthe new value accumulated at the destination row, d, of the register, Asthe x coordinate of the combined point will identify one of thecoordinates in the register 52, it is preferred to perform thecomputation on the card where feasible.

The selected session pairs may be modified prior to or subsequent totheir addition by application of a second function, e.g. signing, (asshown in ghosted outline) to provide further security in the updating ofthe register 52.

Where a random number generator is incorporated on the card 10, theabove preprocessing may be used effectively in the production of thecards. Referring to FIG. 9, an initial set of session pairs is injectedinto the register 52 of each card 10. A random number generator 60 isrun for an initial period and its output used to select the source anddestination rows of the register 52. The source row is accumulated withthe destination now so that the session pair of the set are changed witheach iteration. If preferred, a function such as a sign or a Frobeniusoperation may be applied to the selected session pair beforeaccumulation. The mixing continues for a further period with the outputof generator 60 being used periodically to select each row. Once theregister is considered thoroughly mixed, the session pairs may beselected and combined as described above for FIG. 6. As the output ofeach generator 60 will vary from device to device, the sets of sessionpairs in each register 52 will also vary from device to device.Therefore the same initial table may be used but different session pairswill be generated.

In summary, therefore, pairs of signing elements from an initial set ofstored values can be selected in a deterministic and unpredictablemanner and one of those elements operated upon by the Frobenius Operatorto provide additional values for the elements. The elements may then becombined to obtain a new session pair with a portion of the computationbeing performed off card but without disclosing the value of theelements. Accordingly, an extended group of session pairs is availablefor signing from a relatively small group of stored values.

While the present invention has been illustrated and described by meansof a specific embodiment, it is to be understood that numerous changesand modifications can be made therein without departing from the spiritand scope of the invention.

1. A method of generating a signature implemented over an elliptic curvepublic key encryption scheme utilizing information maintained secret inone computing device comprising the steps of: i) initiating thecomputation of a coordinate a point on the elliptic curve from a pair ofother points on said curve by performing on said one device an initialset of sufficient steps in the computation to inhibit recognition ofinformation pertaining to the identity of said other points; ii)transferring to another computing device remote from the one device theresults of said steps; iii) performing at least such additional steps insaid computation at said other device to permit the completion of saidcomputation at said one device; and iv) transferring the result of saidadditional steps to said one device for incorporation in said signature.2. A method according to claim 1 wherein said initial steps includes afield operation to combine information from each of said other points.3. A method according to claim 2 wherein said combined information isutilized in said additional steps.
 4. A method according to claim 3wherein said field operation includes the summation of the informationrepresenting one coordinate of each of said other points and thesummation of the information representing the other coordinate of eachof the other points.
 5. A method according to claim 1 wherein saidadditional steps complete said computation.
 6. A method according toclaim 4 wherein said information representing the summation of saidcoordinates is transferred from said one device to said other device. 7.A method according to claim 4 wherein said elliptic curve is over thefinite field 2^(m) and represents said coordinates in a normal basis insaid field.
 8. A method according to claim 7 wherein said additionalsteps includes cyclically shifting said information representing thesummation of said coordinates.
 9. A method according to claim 1 whereinsaid computation generates a single coordinate of said point, saidsingle coordinates being utilized in said signing.
 10. A method ofderiving a coordinate of a point on an anomalous elliptic curve over thefield GF2^(m) for utilization in a public key encryption schemeimplemented on said curve, said method comprising the steps of: i)storing a normal basis representation of each of a set of coordinates ofpoints on said curve; ii) retrieving said normal basis representation ofa coordinate of one of said points; iii) performing an i-fold cyclicshift on said retrieved normal basis representation of said onecoordinate; and iv) utilizing the resultant representation as acoordinate of a further point on the curve resulting from an i-foldapplication of the Frobenius Operation to said one point.
 11. A methodaccording to claim 10 wherein each of said set of coordinates representsa point on the curve that is an integer multiple k, of a starting pointP, and the i-fold application of the Frobenius Operation to said staringpoint P produces a new point Ø^(i)P where Ø^(i)P=λ^(i)P; said methodincluding the step of determining the integer k′ associated with saidfurther point by computer kλ^(i).
 12. A method of generating a sessionpair k, kP for use in a digital signature performed on an anomalouselliptic curve in the filed GF2^(m) where kP is a point on said curveresulting from the k fold addition of a starting point P where k is aninteger, said method comprising the steps of: i) storing a set ofinitial values of k and kP, as a normal basis representation in thefield GF2^(m); ii) selecting a coordinate of one of said points kP insaid set of initial values; iii) performing an i-fold cyclic shift onsaid coordinate to obtain a normal basis representation of thecoordinate after an i-fold application of a Frobenius Operation; iv)selecting the integer k associated with said one of said points; v)computing an integer value λ^(i)k where λ defines the relationshipbetween the start point P and a point ØP and Ø indicates a FrobeniusOperation; vi) utilizing the resultant representation of the coordinateand the value λ^(i)k as a session pair in a digital signature r,s wherer is derived from the representation of a coordinate of a point on thecurve and s is derived form the integer value associated with suchpoint, the message to be signed and r.
 13. A method of generatingsignature components for use in a digital signature scheme, saidsignature components including private information and a public keyderived from said private information, said method comprising the stepsof storing private information and related public key as an element in aset of such elements, cycling in a deterministic but unpredictablemanner through said set to select at least one element of said setwithout repetition and utilizing said one element to derive a signaturecomponent in said digital signature scheme.
 14. A method according toclaim 13 wherein a pair of said elements are selected from said set andsaid pair of elements combined to provide said signature components. 15.A method according to claim 14 wherein said value selected pair ofelements is operated upon to produce private information and a publickey derived from said one element prior to combination with the other ofsaid elements.
 16. A method according to claim 15 wherein a computationto combine said elements is initiated on one computing device andsufficient steps of said computation are performed on said one device toinhibit recognition of information in said elements and subsequent stepsare performed on another computing device after transfer of a partiallycompleted computation thereto.
 17. A method according to claim 14wherein said pairs of elements are selected by generating a pair ofindices indicating respective locations of said elements in said set.18. A method according to claim 17 wherein said indices are obtainedfrom an ordered array arranged to provide each possible combination ofindices.
 19. A method according to claim 18 wherein said indices areselected from a counter that increments with each signature.
 20. Amethod according to claim 19 wherein output from said counter ismodified to provide a non-sequential selection of said indices.